Abstract



In this paper, we address the problem of defining a fixpoint semantics for Constraint
Handling Rules (CHR) that captures the behavior of both simplification and propagation
rules in a sound and complete way with respect to their declarative semantics. Firstly,
we show that the logical reading of states with respect to a set of simplification rules can
be characterized by a least fixpoint over the transition system generated by the abstract
operational semantics of CHR. Similarly, we demonstrate that the logical reading of states
with respect to a set of propagation rules can be characterized by a greatest fixpoint. Then,
in order to take advantage of both types of rules without losing the fixpoint characterization,
we present an operational semantics with persistent constraints. We finally establish that this
semantics can be characterized by two nested fixpoints, and we show that the resulting
language is an elegant framework for programming with coinductive reasoning.

KEYWORDS: CHR, coinduction, fixpoint, declarative semantics, persistent constraints. 



1 Introduction

Owing to its origins in the tradition of Constraint Logic Programming (CLP) (Jaffar
and Lassez 1987), Constraint Handling Rules (CHR) (Frühwirth 1998) feature a
declarative semantics through direct interpretation in classical logic. However, no
attempt to provide a fixpoint semantics for the whole language, sound and complete
w.r.t. this declarative semantics, has succeeded so far. This is particularly surprising
considering that the fixpoint semantics is an important foundation of the declarative
semantics of CLP. It is perhaps because CHR is the combination of two inherently
distinct kinds of rules that this formulation is not so simple. On the one hand, the
so-called Constraint Simplification Rules (CSR) replace constraints by simpler ones
while preserving their meaning. On the other hand, the so-called Constraint Propagation
Rules (CPR) add redundant constraints in a monotonic way. Even though
in the declarative semantics the two notions merge, one of the main interests of
the language comes from the explicit distinction between the two. Indeed, it is well
known that propagation rules are useful in practice but have to be managed in
a different way from simplification rules to avoid trivial non-termination. (See for
instance the explanations by Frühwirth (2009) or Betz et al. (2010).)

Soundness of the operational semantics of CSR (i.e. to each derivation corresponds
a deduction) has been proved by Frühwirth (2009), while completeness
(i.e. to each deduction corresponds a derivation) has been tackled by Abdennadher
et al. (1999). However, it is worth noticing that the completeness result is limited to
terminating programs. On the other hand, the accuracy of CPR w.r.t. its classical
logic semantics is only given through its naive translation into CSR. Since any set of
propagation rules trivially loops when seen as simplification rules, the completeness
result does not apply to CPR.

It is well known that termination captures the least fixpoint (l.f.p.) of states of a
transition system. Quite naturally, non-termination captures the greatest fixpoint
(g.f.p.). Starting from this observation, we show in this paper that if they are considered
independently, CSR and CPR can be characterized by a l.f.p. (or inductive)
and a g.f.p. (or coinductive) semantics respectively, providing along the way the first
completeness result for CPR. Then, in order to take advantage of both types of
rules without losing the fixpoint characterization, we present an operational semantics
$\omega_h$ similar to the one recently proposed by Betz et al. (2010). Subsequently we
demonstrate that this new semantics can be characterized by two nested fixpoints
and can be implemented in a simple manner to provide the first logically complete
system (w.r.t. failures) for a segment of CHR with propagation rules. We show as
well that this semantics yields an elegant framework for programming with coinductive
reasoning on infinite (or non-well-founded) objects (Barwise and Moss 1996).

The remainder of this paper is structured as follows: Section 2 states the syntax
of CHR and summarizes several semantics. In Section 3, we present two fixpoint
semantics for CHR. We show that these semantics, which are built over the transition system
induced by the abstract operational semantics of CHR, offer a characterization of the
logical reading of queries w.r.t. CSR and CPR, respectively. In Section 4, we define a
semantics with persistent constraints related to the one recently introduced by
Betz et al. (2010). We prove that this new operational semantics can be characterized
by a l.f.p. nested within a g.f.p., and give an implementation via a source-to-source
transformation. Finally, in Section 5, we illustrate the power of the language before
concluding in Section 6.

2 Preliminaries on CHR 

In this section, we introduce the syntax, the declarative semantics and two different
operational semantics for CHR. In the next sections, both operational semantics will
be used, the former as the theoretical foundation for our different fixpoint semantics,
and the latter as a target for implementation purposes.

2.1 Syntax

The formalization of CHR assumes a language of built-in constraints containing the
equality $=$, $false$, and $true$ over some theory $\mathcal{C}$, and defines user-defined constraints
using a different set of predicate symbols. In the following, we will denote variables
by upper case letters, $X, Y, Z, \ldots$, and (user-defined or built-in) constraints by
lowercase letters $c, d, e, \ldots$ By a slight abuse of notation, we will confuse conjunction
and multiset of constraints, forget braces around multisets and use comma for
multiset union. We note $\mathrm{fv}(\phi)$ the set of free variables of any formula $\phi$. The notation
$\exists_{-X}\phi$ denotes the existential closure of $\phi$ with the exception of the variables in $X$, which
remain free. In this paper, we require the non-logical axioms of $\mathcal{C}$ to be coherent
formulas (i.e. formulas of the form $\forall(C \rightarrow \exists Z.D)$, where both $C$ and $D$ stand for
possibly empty conjunctions of built-in constraints). Constraint theories verifying
such requirements correspond to Saraswat's simple constraint systems (1991).
A CHR program is a finite set of eponymous rules of the form:

$$r\ @\ K \setminus H \Leftrightarrow G \mid C, B$$

where $K$ (the kept head) and $H$ (the removed head) are multisets of user-defined constraints,
$G$ (the guard) is a conjunction of built-in constraints, $C$ is a
conjunction of built-in constraints, $B$ is a multiset of user-defined constraints and
$r$ (the rule name) is an arbitrary identifier assumed unique in the program. Rules
where both heads are empty are prohibited. An empty kept head can be omitted together
with the symbol $\setminus$. The local variables of a rule are the variables occurring in
the guard and in the body but not in the head, that is $\mathrm{lv}(r) = \mathrm{fv}(G, C, B) \setminus \mathrm{fv}(K, H)$.
CHR rules are divided into two classes: simplification rules if the removed head is
non-empty and propagation rules otherwise. Propagation rules can be written using
the alternative syntax:

$$r\ @\ K \Rightarrow G \mid C, B$$

A CHR state is a tuple $\langle C; E; X\rangle$, where $C$ (the CHR store) is a multiset of CHR
constraints, $E$ (the built-in store) is a conjunction of built-in constraints, and $X$ (the
global variables) is a set of variables. In the following, $\Sigma$ will denote the set of states
and $\Sigma_b$ the set of answers (i.e. states of the form $\langle \emptyset; E; X\rangle$). A state is consistent if
its built-in store is satisfiable within $\mathcal{C}$ (i.e. there exists a model of $\mathcal{C}$ in which
$\exists E$ holds), inconsistent otherwise.

2.2 Declarative semantics 

We state now the declarative semantics of CHR. The logical reading of a rule and
of a state is as follows:

Rule: $K \setminus H \Leftrightarrow G \mid C, B$ reads as $\forall\big((K \wedge G) \rightarrow (H \leftrightarrow \exists_{-\mathrm{fv}(K,H)}(G \wedge C \wedge B))\big)$

State: $\langle C; E; X\rangle$ reads as $\exists_{-X}(C \wedge E)$

$\mathcal{CP}$, the logical reading of a program $\mathcal{P}$ within a constraint theory $\mathcal{C}$, is the conjunction
of the logical readings of the rules of $\mathcal{P}$ with the constraint theory $\mathcal{C}$.

2.3 Equivalence-based operational semantics

Here, we recall the equivalence-based operational semantics $\omega_e$ of Raiser et al. (2009).
It is similar to the very abstract semantics $\omega_a$ of Frühwirth (2009), the most general
operational semantics of CHR. We prefer the former because it includes an explicit
notion of equivalence, which will simplify many formulations. Because this is the
most abstract operational semantics we consider in this paper, we will refer to it as
the abstract (operational) semantics. For the sake of generality, we present it in a
parametric form, according to some sound equivalence relation.

We will say that an equivalence relation $\equiv_i$ is (logically) sound if two states equivalent
w.r.t. $\equiv_i$ have logically equivalent readings in the theory $\mathcal{C}$. The equivalence
class of some state $\sigma$ by $\equiv_i$ will be noted $[\sigma]_i$. For a given program $\mathcal{P}$ and a sound
equivalence $\equiv_i$, the $\equiv_i$-transition relation, noted $\rightarrowtail_i$, is the least relation satisfying
the following rule:

$$\frac{(r\ @\ K \setminus H \Leftrightarrow G \mid C, B)\rho \in \mathcal{P} \qquad \mathrm{lv}(r\rho) \cap \mathrm{fv}(\sigma_1) = \emptyset \qquad \sigma_1 \equiv_i \langle K, H, D; G \wedge E; X\rangle \qquad \langle B, K, D; C \wedge G \wedge E; X\rangle \equiv_i \sigma_2}{\sigma_1 \rightarrowtail_i \sigma_2}$$

where $\rho$ is a renaming. If such a transition is possible with $H = \emptyset$, we will say that the
tuple $r@\langle K; G \wedge E; X\rangle$ is a propagation redex for the state $\sigma_1$. The transitive closure
of the relation $(\rightarrowtail_i \cup \equiv_i)$ is denoted by $\rightarrowtail_i^*$. A $\equiv_i$-derivation is a finite or infinite
sequence of the form $\sigma_1 \rightarrowtail_i \ldots \rightarrowtail_i \sigma_n \rightarrowtail_i \ldots$ A $\equiv_i$-derivation is consistent if so
are all the states constituting it. A $\equiv_i$-transition is confluent if whenever $\sigma \rightarrowtail_i^* \sigma_1$
and $\sigma \rightarrowtail_i^* \sigma_2$ hold, there exists a state $\sigma'$ such that $\sigma_1 \rightarrowtail_i^* \sigma'$ and $\sigma_2 \rightarrowtail_i^* \sigma'$ hold
as well.

The abstract equivalence is the least equivalence $\equiv_a$ defined over $\Sigma$ verifying:

1. $\langle C; Y = t \wedge D; X\rangle \equiv_a \langle C[Y \backslash t]; Y = t \wedge D; X\rangle$

2. $\langle C; false; X\rangle \equiv_a \langle D; false; X\rangle$

3. $\langle C; D; X\rangle \equiv_a \langle C; E; X\rangle$ if $\mathcal{C} \models \exists_{-\mathrm{fv}(C,X)}(D) \leftrightarrow \exists_{-\mathrm{fv}(C,X)}(E)$

4. $\langle C; E; X\rangle \equiv_a \langle C; E; \{Y\} \cup X\rangle$ where $Y \notin \mathrm{fv}(C, E)$

Note that this equivalence is logically sound (Raiser et al. 2009). For a given program
$\mathcal{P}$, the abstract transition system is defined as the tuple $(\Sigma, \rightarrowtail_a)$.



2.4 Concrete operational semantics

This section presents the operational semantics $\omega_p$ of de Koninck et al. (2007).
In this framework rules are annotated with explicit priorities that reduce the non-determinism
in the choice of the rule to apply. As initially proposed by Abdennadher
(1997), this semantics includes a partial control that prevents the trivial looping
of propagation rules by restricting their firing to once per instance. In
opposition to the abstract semantics, we will call it the concrete (operational) semantics.

An identified constraint is a pair noted $c\#i$, associating a CHR constraint $c$ with
an integer $i$. For any identified constraint, we define the functions $\mathrm{chr}(c\#i) = c$
and $\mathrm{id}(c\#i) = i$, and extend them to sequences and sets of identified constraints.
A token is a tuple $(r, T)$, where $r$ is a rule name and $T$ is a sequence of integers.
A concrete CHR state is a tuple of the form $\langle\langle C; D; E; T\rangle\rangle_n$ where $C$ is a multiset
of CHR and built-in constraints, $D$ is a multiset of identified constraints, $E$ is a
conjunction of built-in constraints, $T$ is a set of tokens and $n$ is an integer. We
assume moreover that the identifier of each identified constraint in the CHR store
is unique and smaller than $n$. For any program $\mathcal{P}$, the concrete transition relation,
$\rightarrowtail_c$, is defined as follows:



(Co-)Inductive semantics for Constraint Handling Rules



Solve: $\langle\langle c, C; D; E; T\rangle\rangle_n \rightarrowtail_c \langle\langle C; D; E'; T\rangle\rangle_n$
if $c$ is a built-in constraint and $\mathcal{C} \models \forall((c \wedge E) \leftrightarrow E')$.

Introduce: $\langle\langle c, C; D; E; T\rangle\rangle_n \rightarrowtail_c \langle\langle C; c\#n, D; E; T\rangle\rangle_{n+1}$
if $c$ is a CHR constraint.

Apply: $\langle\langle \emptyset; K, H, D; E; T\rangle\rangle_n \rightarrowtail_c \langle\langle B, G; K, D; E \wedge \theta; \{t\} \cup T\rangle\rangle_n$
if $(p :: r\ @\ K' \setminus H' \Leftrightarrow G \mid B)$ is a rule in $\mathcal{P}$ of priority $p$ renamed with fresh variables,
$\theta$ is a substitution such that $\mathrm{chr}(K) = K'\theta$ and $\mathrm{chr}(H) = H'\theta$, $t = (r, \mathrm{id}(K, H))$,
$t \notin T$, $E$ is satisfiable within $\mathcal{C}$, and $\mathcal{C} \models \forall(E \rightarrow \exists(\theta \wedge G))$. Furthermore, no rule
of higher priority than $p$ (i.e. with a smaller priority number; see Figure 1, where the rule of priority 1 fires first) exists for which the above conditions hold.



3 Transition system semantics for pure CSR and CPR

In this section, we propose a fixpoint semantics for both CSR and CPR programs.
We call it transition system semantics because it is defined as a fixpoint over the
abstract transition system, built in a way similar to $\mu$-calculus formulas (Clarke
et al. 2000). The proofs of this section are only sketched. Detailed versions can be
found in a technical report (Haemmerlé 2011).

Before formally introducing the semantics, we recall some standard notation and
results about fixpoints in an arbitrary complete lattice $(\mathcal{L}, \sqsubseteq, \sqcap, \sqcup, \top, \bot)$.$^1$ A function
$f : \mathcal{L} \rightarrow \mathcal{L}$ is monotonic if $f(X) \sqsupseteq f(Y)$ whenever $X \sqsupseteq Y$. An element $X \in \mathcal{L}$ is
a fixpoint for $f$ if $f(X) = X$. The least fixpoint (resp. the greatest fixpoint)
of $f$ is its fixpoint $X$ satisfying $Y \sqsupseteq X$ (resp. $Y \sqsubseteq X$) whenever $Y$ is a fixpoint for
$f$. It is denoted by $\mu X.f(X)$ (resp. $\nu X.f(X)$). Tarski's (1955) celebrated fixpoint
theorem ensures that monotonic functions have both a least and a greatest fixpoint.



3.1 Inductive semantics for CSR

In this section, we give a first fixpoint semantics limited to CSR. It is called inductive,
since it is defined as a l.f.p.

Definition 3.1 (Inductive transition system semantics for CSR)

For a given program $\mathcal{P}$ and a given sound equivalence relation $\equiv_i$, the existential
immediate cause operator $\langle\mathcal{P}\rangle_i : 2^\Sigma \rightarrow 2^\Sigma$ is defined as:

$$\langle\mathcal{P}\rangle_i(X) = \{\sigma \in \Sigma \mid \text{there exists } \sigma' \in \Sigma \text{ such that } \sigma \rightarrowtail_i \sigma' \text{ and } \sigma' \in X\}$$

The inductive (transition system) semantics of a CSR program $Q$ is the set:

$$\mathcal{F}^{\mu}_{\mathcal{C}}(Q) = \mu X.\big(\langle Q\rangle_a(X) \cup (\Sigma_b \setminus [\langle \emptyset; false; \emptyset\rangle]_a)\big)$$

The existential immediate cause operator being clearly monotonic, Tarski's theorem
ensures that the inductive semantics of a CSR program is well defined. For a given
program $\mathcal{P}$, $\mathcal{F}^{\mu}_{\mathcal{C}}(\mathcal{P})$ is exactly the set of states that can be rewritten by $\mathcal{P}$ to a
consistent answer. Remark that since answers cannot be rewritten by any program,
any state in $\mathcal{F}^{\mu}_{\mathcal{C}}(\mathcal{P})$ has at least one terminating derivation.



$^1$ For more details about fixpoints, one can refer, for example, to Lloyd's book (1987).
Example 3.2

Consider the program $\mathcal{P}_1$ consisting of the three following rules:

$$a, a \Leftrightarrow true \qquad b \Leftrightarrow b \qquad c \Leftrightarrow false$$

Consider the set of consistent states of the form $\langle a^{2i}; E; X\rangle$, where $d^n$ denotes $n$ copies
of a constraint $d$, and the larger set of consistent states of the form $\langle a^{2i}; E; X\rangle$ or
$\langle a^{2i}, b; E; X\rangle$. Both sets are fixpoints of
$\lambda X.\big(\langle\mathcal{P}_1\rangle_a(X) \cup (\Sigma_b \setminus [\langle \emptyset; false; \emptyset\rangle]_a)\big)$, but only the former is the least fixpoint.
Note that no state of the form $\langle a^{2i+1}, D; E; X\rangle$ or $\langle c, D; E; X\rangle$ is in such fixpoints.

We next present a theorem that uses the fixpoint semantics to reformulate results
on the CSR logical semantics (Frühwirth 1998; Abdennadher et al. 1999). It says that a
state that has at least one answer is in the inductive semantics of a confluent CSR
program if and only if its logical reading is satisfiable within the theory $\mathcal{CP}$. Notice
that because, in the context of this paper, we do not require $\mathcal{C}$ to be ground complete,
we have to content ourselves with satisfiability instead of validity. Nonetheless, we
will see in Section 5 that satisfiability is particularly useful to express coinductive
definitions such as bisimulation.

Theorem 3.3

Let $\mathcal{P}$ be a program such that $\rightarrowtail_a$ is confluent. Let $\langle D; E; X\rangle$ be a state having at
least one answer. We have:

$\langle D; E; X\rangle \in \mathcal{F}^{\mu}_{\mathcal{C}}(\mathcal{P})$ if and only if $\exists(D \wedge E)$ is satisfiable within $\mathcal{CP}$.

Proof sketch

As we have said previously, $\mathcal{F}^{\mu}_{\mathcal{C}}(\mathcal{P})$ is the set of states that can be rewritten to a
consistent answer. Hence it is sufficient to prove:

$\langle D; E; X\rangle \rightarrowtail_a^* \langle \emptyset; E'; Y\rangle$ with $\mathcal{CP} \not\models \neg\exists(E')$ if and only if $\mathcal{CP} \not\models \neg\exists(D \wedge E)$

or equivalently (negating both sides, which is legitimate because $\rightarrowtail_a$ is confluent):

$\mathcal{CP} \models \neg\exists(D \wedge E)$ if and only if $\langle D; E; X\rangle \rightarrowtail_a^* \langle \emptyset; false; \emptyset\rangle$

The "if" and "only if" directions are respective corollaries of soundness and completeness
for CHR (Lemma 3.20 and Theorem 3.25 in Frühwirth's book (2009)). □

Our inductive semantics for CSR has strong connections with the fixpoint semantics
of Gabbrielli and Meo (2009). In contrast to ours, this semantics focuses on
input/output behaviour and is not formally related to the logical semantics, although it
is constructed in a similar way as a l.f.p. over the abstract transition system. However,
because it does not distinguish propagation from simplification rules, this semantics
cannot characterize reasonable programs using propagations. Indeed, it has been
later extended to handle propagation rules by adding into the states an explicit
token store à la Abdennadher (1997) in order to remember the propagation history
(Gabbrielli et al. 2008). Nonetheless, such an extension leads to a quite complicated
model which is moreover incomplete w.r.t. the logical semantics.
3.2 Coinductive semantics for CPR

We continue by giving a similar characterization for CPR. This semantics is defined
by the g.f.p. of a universal version of the cause operator presented in Definition 3.1.
Hence we call it coinductive.

Definition 3.4 (Coinductive transition system semantics for CPR)

For a given program $\mathcal{P}$ and a given sound equivalence relation $\equiv_i$, the universal
(immediate) cause operator $[\mathcal{P}]_i : 2^\Sigma \rightarrow 2^\Sigma$ is defined as:

$$[\mathcal{P}]_i(X) = \{\sigma \in \Sigma \mid \text{for all } \sigma' \in \Sigma,\ \sigma \rightarrowtail_i \sigma' \text{ implies } \sigma' \in X\}$$

The coinductive (transition system) semantics of a CPR program $Q$ is the set:

$$\mathcal{F}^{\nu}_{\mathcal{C}}(Q) = \nu X.\big([Q]_a(X) \cap (\Sigma \setminus [\langle \emptyset; false; \emptyset\rangle]_a)\big)$$

Note that contrary to the inductive semantics, the coinductive one is not just a
reformulation of an existing semantics. Indeed, the universal essence of the operator
$[Q]_i$ conveys that the meaning we give to CPR states relies on all of their derivations,
whereas the existential essence of the operator $\langle Q\rangle_i$ makes explicit the fact that
the classical meaning of states depends on the existence of a successful derivation. This
semantic subtlety is fundamental for CPR completeness (Lemma 3.7).

As is the case for $\langle Q\rangle_i$, the operator $[Q]_i$ is obviously monotonic. Our semantics
is therefore well defined. Notice that $\mathcal{F}^{\nu}_{\mathcal{C}}(Q)$ is precisely the set of states that cannot
be rewritten to an inconsistent state. As illustrated by the following example,
states belonging to $\mathcal{F}^{\nu}_{\mathcal{C}}(Q)$ have in general only non-terminating derivations w.r.t.
the abstract operational semantics.

Example 3.5

Let $\mathcal{C}$ be the usual constraint theory over integers and $\mathcal{P}_2$ be the program:

$$q(X) \Rightarrow q(X + 1) \qquad q(0) \Rightarrow false$$

The greatest fixpoint of $\lambda X.\big([\mathcal{P}_2]_a(X) \cap (\Sigma \setminus [\langle \emptyset; false; \emptyset\rangle]_a)\big)$ is the set of consistent
states that do not contain a CHR constraint $q(X)$ where $X$ is negative or null.
Note that the empty set is also a fixpoint but not the greatest one. Note that states such as
$\langle q(1); true; \emptyset\rangle$, which are in the greatest fixpoint, have only infinite derivations.

We give next a theorem that states the accuracy of the coinductive semantics
w.r.t. the logical reading of CPR. Remark that for the completeness direction, we
have to ensure that a sufficient number of constraints is provided for launching each
rule of the derivation. To state the theorem we assume the following notation ($n \cdot B$
stands for the scalar product of the multiset $B$ by $n$):

$$\mathcal{P}^n = \{(r\ @\ K \Rightarrow G \mid C, n \cdot B) \mid (r\ @\ K \Rightarrow G \mid C, B) \in \mathcal{P}\}$$

Theorem 3.6 (Soundness and completeness of the coinductive semantics for CPR)

Let $\mathcal{P}$ be a CPR program and $n$ be some integer greater than the maximal number
of constraints occurring in the head of any rule of $\mathcal{P}$. We have:

$\langle n \cdot D; E; X\rangle \in \mathcal{F}^{\nu}_{\mathcal{C}}(\mathcal{P}^n)$ if and only if $(D \wedge E)$ is satisfiable within $\mathcal{CP}$.
The proof of the theorem is based on the following completeness lemma, which
ensures that to each intuitionistic deduction in the theory $\mathcal{CP}$ corresponds a CPR
derivation w.r.t. the program $\mathcal{P}$. In the following, we use the notations $T \models E \rightarrow
\exists X.F$ and $E \vdash_T \exists X.F$ to emphasize that a deduction within a theory $T$ is done in
the classical logic model framework and in the intuitionistic proof framework, respectively.
Fortunately, both lines of reasoning coincide in our setting. This remarkable
property is due to the fact that we are reasoning in a fragment of classical logic, known
as coherent logic, where classical provability coincides with intuitionistic provability.

Lemma 3.7 (Intuitionistic completeness of CPR)

Let $\mathcal{P}$ be a CPR program and $n$ be some integer greater than the maximal number of
constraints occurring in the heads of $\mathcal{P}$. Let $D$ and $D'$ (resp. $E$ and $E'$) be two multisets
of CHR (resp. built-in) constraints. If $D \wedge E \vdash_{\mathcal{CP}} \exists X.(D' \wedge E')$, then there exist $D''$
and $E''$ such that $\langle n \cdot D; E; \mathrm{fv}(D, E)\rangle \rightarrowtail_a^* \langle n \cdot D''; E''; Y\rangle$ and $D'' \wedge E'' \vdash_{\mathcal{C}} \exists X.(D' \wedge E')$.

Proof sketch

By structural induction on the proof tree $\pi$ of $D \wedge E \vdash_{\mathcal{CP}} \exists X.(D' \wedge E')$. For the case
where $\pi$ is a logical axiom, we use the reflexivity of $\rightarrowtail_a^*$. For the case where $\pi$ is
a non-logical axiom from $\mathcal{C}$, we use the definition of $\equiv_a$. For the case where $\pi$ is a
non-logical axiom corresponding to a propagation rule $r\ @\ K \Rightarrow G \mid B_b, B_c$ (with $B_b$ built-in and $B_c$ CHR), we choose
$D'' = (D, B_c)$ and $E'' = (E \wedge G \wedge B_b)$, and apply $r$. For the case where $\pi$ ends with a
cut or a right introduction of a conjunction, we use the induction hypothesis and the
fact that constraints are never consumed along a CPR derivation. Other cases are
more straightforward. □

Proof sketch of Theorem 3.6

As we have noted previously, $\mathcal{F}^{\nu}_{\mathcal{C}}(\mathcal{P}^n)$ is the set of states that cannot be rewritten
to an inconsistent state. Hence it is sufficient to prove:

$\langle n \cdot D; E; X\rangle \not\rightarrowtail_a^* \langle \emptyset; false; \emptyset\rangle$ if and only if $\mathcal{CP} \not\models \neg\exists(D \wedge E)$

or equivalently, negating both sides:

$\mathcal{CP} \models \forall((D \wedge E) \rightarrow false)$ if and only if $\langle n \cdot D; E; X\rangle \rightarrowtail_a^* \langle \emptyset; false; \emptyset\rangle$

The "if" direction is direct by soundness of CHR. For the "only if" direction, since
$\mathcal{CP}$ is a coherent logic theory (i.e. a set of formulas of the form $\forall(F \rightarrow \exists X.F')$, where
both $F$ and $F'$ are conjunctions of atomic propositions), it can be assumed without
loss of generality that $D \wedge E \vdash_{\mathcal{CP}} false$ (see Bezem and Coquand's work about
coherent logic (2005)). The result is then direct, by Lemma 3.7. □

The coinductive semantics for CPR has strong similarities with the fixpoint semantics
of CLP (Jaffar and Lassez 1987). Both are defined by the fixpoint of somewhat
dual operators and fully abstract the logical meaning of programs. Nonetheless
the coinductive semantics of CPR is not compositional. That is not a particular
drawback of our semantics, since the logical semantics we characterize is not
compositional either. Indeed, if the logical readings of two states are independently consistent,
then one cannot ensure that so is their conjunction. It should be noticed
that this non-compositionality prevents the immediate cause operators from being defined
over the $\mathcal{C}$-base (i.e. the cross product of the set of CHR constraints and the
set of conjunctions of built-in constraints) as is done for CLP, and requires a
definition over sets of states.

4 Transition system semantics for CHR with persistent constraints

In this section, we aim at obtaining a fixpoint semantics for the whole language.
Nonetheless, one has to notice that the completeness result for CSR needs, among
other things, the termination of $\rightarrowtail_a$, while the equivalent result for CPR is based
on the monotonic evolution of the constraint store along derivations. Hence naively
combining CSR and CPR will break both properties, leading consequently to an
incomplete model. In order to provide an accurate fixpoint semantics to programs
combining both kinds of rules (meanwhile removing the unsatisfactory scalar product in
the wording of CPR completeness), we introduce a notion of persistent constraints,
following the ideas of Betz et al. (2010) for their semantics $\omega_!$. Persistent constraints
are special CHR constraints acting as classical logic statements (i.e. they are not
consumable and their multiplicity does not matter). Since they act as linear logic
statements (i.e. they are consumable and their multiplicity matters), usual CHR
constraints are called linear. Because it combines persistent and linear constraints
in a slightly less transparent way than $\omega_!$, we call this semantics hybrid, and note it
$\omega_h$. Due to space limitations, the (non-trivial) proofs of this section are omitted,
but can be found in the extended version of this paper.

4.1 Hybrid operational semantics $\omega_h$

Unlike in $\omega_!$, the kind of a constraint (linear or persistent) in $\omega_h$ is not
dynamically determined according to the type of rule from which it was produced,
but statically fixed. Hence, we will assume the set of CHR constraint symbols
is divided in two: the linear symbols and the persistent symbols. Naturally, CHR
constraints built from the linear (resp. persistent) symbols are called linear (resp.
persistent) constraints. A hybrid rule is a CHR rule where the kept head contains
only persistent constraints and the removed head contains only linear constraints.
We will denote by $\Sigma_p$ the set of purely persistent states (i.e. states of the form
$\langle P; E; X\rangle$ where $P$ is a set of persistent constraints). $\mathcal{P}_s$ will refer to the set of
simplification rules of a hybrid program $\mathcal{P}$.

The hybrid semantics is expressed as a particular instance of the equivalence-based
semantics presented in Section 2.3. It uses the abstract state equivalence
extended by a contraction rule enforcing the idempotency of persistent constraints.

Definition 4.1 (Hybrid operational transition)

The hybrid equivalence is the smallest relation $\equiv_h$ over states containing $\equiv_a$ and
satisfying the following rule:

$$\langle c, c, C; E; X\rangle \equiv_h \langle c, C; E; X\rangle \quad \text{if } c \text{ is a persistent constraint}$$

The hybrid transition system is defined as the tuple $(\Sigma, \rightarrowtail_h)$.
Hybrid programs are programs where propagation rules "commute" with
simplification rules in the sense of abstract rewriting systems (Terese 2003). In
other words, derivations can be permuted so that simplification rules are fired first,
and propagation rules fire only when simplification rule firings are exhausted. Indeed,
the syntactical restriction prevents the propagation head constraints from being
consumed by simplification rules, hence once a propagation rule is applicable, it
will be so forever. Of course, many CHR programs do not respect the hybrid
syntax and therefore cannot be run in our framework. Nonetheless, what we lose
with this restriction, we compensate by pioneering a logically complete approach
to solve the problem of trivial non-termination (see Theorem 4.8 below).

4.2 Hybrid transition system semantics

We present the transition system semantics for hybrid programs. This semantics
is expressed by fixpoints over the hybrid transition system. It is built using the
immediate cause operators we have defined in the previous section.

Definition 4.2 (Hybrid transition system semantics)

The hybrid (transition system) semantics of a hybrid program $\mathcal{P}$ is defined as:

$$\mathcal{F}^{h}_{\mathcal{C}}(\mathcal{P}) = \nu X.\Big([\mathcal{P}]_h(X) \cap \mu Y.\big(\langle\mathcal{P}_s\rangle_h(Y) \cup (\Sigma_p \setminus [\langle \emptyset; false; \emptyset\rangle]_h)\big)\Big)$$

The theorem we give next states soundness and completeness of the hybrid transition
system semantics of confluent programs, provided the states respect a data-sufficiency
property. In this paper, we do not address the problem of proving confluence
of hybrid programs, but claim it can be tackled by straightforwardly extending
the work of Abdennadher et al. (1999) or by adequately instantiating the notion of
abstract critical pair we proposed in a previous work (Haemmerlé and Fages 2007).
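As an added illustration (not part of the original paper), the following Python module builds the transition system of a small ground CHR program as a finite, successor-closed set of states and computes the three semantics by Kleene iteration: the inductive semantics of Definition 3.1 on Example 3.2, the coinductive semantics of Definition 3.4 on Example 3.5, and the nested fixpoint of Definition 4.2 on a small hybrid program assumed here for the purpose (linear $l/1$ and $b/0$, persistent $p/1$). It makes simplifying assumptions: constraints are ground, the built-in store is only $true$ or $false$, Example 3.5 is windowed to $X < 3$ so that the state space is finite, and the store of persistent symbols ($q$ in Example 3.5, $p$ in the hybrid program) keeps a single copy of each constraint, which is the contraction rule of $\equiv_h$ and does not change which states can reach the inconsistent state.

```python
"""Finite-state model of the transition-system semantics of Definitions 3.1,
3.4 and 4.2 (added example; ground constraints, built-in store true/false)."""
from collections import Counter
from itertools import permutations

FALSE = ("false",)                  # body atom standing for the built-in false
BOTTOM = frozenset({(FALSE, 1)})    # the inconsistent state <0; false; 0>
EMPTY = frozenset()                 # the consistent answer <0; true; 0>

def mk_state(cs, persistent=()):
    """Ground store as a hashable multiset of (constraint, multiplicity).
    Symbols listed in `persistent` keep one copy (contraction rule of =h)."""
    if FALSE in cs:
        return BOTTOM
    return frozenset((c, 1 if c[0] in persistent else n)
                     for c, n in Counter(cs).items())

def successors(s, rules, persistent=()):
    """Every state reachable from s by one rule application.
    A rule is (kept symbols, removed symbols, body); body maps the matched
    argument tuples to the body constraints, or to None if the guard fails."""
    store = [c for c, n in s for _ in range(n)]
    out = set()
    for kept, removed, body in rules:
        for idx in permutations(range(len(store)), len(kept) + len(removed)):
            chosen = [store[i] for i in idx]
            if [c[0] for c in chosen] != kept + removed:
                continue
            new = body([c[1:] for c in chosen])
            if new is None:
                continue
            gone = set(idx[len(kept):])          # removed-head occurrences
            rest = [c for i, c in enumerate(store) if i not in gone]
            out.add(mk_state(rest + new, persistent))
    return out

def reachable(seeds, rules, persistent=()):
    """Successor-closed universe containing the seeds. Both cause operators
    only inspect successors, so the fixpoints restricted to this universe
    agree with the global ones on its states."""
    todo, seen = list(seeds), set(seeds)
    while todo:
        for t in successors(todo.pop(), rules, persistent):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return frozenset(seen)

def fix(f, x):
    """Kleene iteration of a monotone f from bottom (lfp) or from top (gfp)."""
    while True:
        y = f(x)
        if y == x:
            return x
        x = y

def exists_pre(rules, U, persistent=()):      # <P>_i(X): some successor in X
    return lambda X: frozenset(s for s in U if successors(s, rules, persistent) & X)

def forall_pre(rules, U, persistent=()):      # [P]_i(X): every successor in X
    return lambda X: frozenset(s for s in U if successors(s, rules, persistent) <= X)

def inductive(rules, U):                      # Definition 3.1
    pre = exists_pre(rules, U)
    return fix(lambda X: pre(X) | {EMPTY}, frozenset())

def coinductive(rules, U, persistent=()):     # Definition 3.4
    pre, ok = forall_pre(rules, U, persistent), U - {BOTTOM}
    return fix(lambda X: pre(X) & ok, ok)

def hybrid(rules, U, persistent):             # Definition 4.2: lfp nested in gfp
    simp = [r for r in rules if r[1]]         # P_s: rules with a removed head
    purely = frozenset(s for s in U if s != BOTTOM
                       and all(c[0] in persistent for c, _ in s))
    pre_s, pre = exists_pre(simp, U, persistent), forall_pre(rules, U, persistent)
    inner = fix(lambda Y: pre_s(Y) | purely, frozenset())
    return fix(lambda X: pre(X) & inner, inner)

# Example 3.2:   a, a <=> true     b <=> b     c <=> false
P1 = [([], ["a", "a"], lambda _: []),
      ([], ["b"], lambda _: [("b",)]),
      ([], ["c"], lambda _: [FALSE])]
U1 = reachable([mk_state([("a",)] * n + e) for n in (4, 3) for e in ([], [("b",)])]
               + [mk_state([("c",)])], P1)
F1 = inductive(P1, U1)

# Example 3.5, windowed to X < 3 (assumption keeping the universe finite), with
# q contracted:   q(X) ==> X < 3 | q(X + 1)     q(0) ==> false
P2 = [(["q"], [], lambda a: [("q", a[0][0] + 1)] if a[0][0] < 3 else None),
      (["q"], [], lambda a: [FALSE] if a[0][0] == 0 else None)]
U2 = reachable([mk_state([("q", n)], ("q",)) for n in (1, 0, -1)], P2, ("q",))
F2 = coinductive(P2, U2, ("q",))

# Hybrid program assumed for illustration; linear l/1, b/0 and persistent p/1:
#   l(X) <=> p(X)     b <=> b     p(X) ==> X < 3 | p(X + 1)     p(0) ==> false
P3 = [([], ["l"], lambda a: [("p", a[0][0])]),
      ([], ["b"], lambda _: [("b",)]),
      (["p"], [], lambda a: [("p", a[0][0] + 1)] if a[0][0] < 3 else None),
      (["p"], [], lambda a: [FALSE] if a[0][0] == 0 else None)]
U3 = reachable([mk_state(cs, ("p",)) for cs in
                ([("l", 1)], [("l", -1)], [("b",), ("p", 1)])], P3, ("p",))
F3 = hybrid(P3, U3, ("p",))

if __name__ == "__main__":
    for name, U, F in (("F1", U1, F1), ("F2", U2, F2), ("F3", U3, F3)):
        print(f"{name}: {len(F)} of {len(U)} reachable states")
```

Running the module as a script prints the size of each fixpoint; the module-level constants F1, F2 and F3 hold the fixpoints themselves. On Example 3.2, F1 contains exactly the states with an even number of $a$ and no $b$ or $c$, while the larger set that also contains the states $\langle a^{2i}, b; true; \emptyset\rangle$ is a fixpoint of the same operator but not the least one. On the windowed Example 3.5, F2 contains only the states whose $q$ arguments are all positive, each of which can only loop. In the hybrid program, the state $\langle b, p(1); true; \emptyset\rangle$ is not data-sufficient and is excluded by the inner least fixpoint, which reflects the side condition of Theorem 4.4 rather than a logical inconsistency, whereas $\langle l(-1); true; \emptyset\rangle$ is excluded because every derivation from it reaches $p(0)$ and then $false$.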

Definition 4.3 (Data-sufficient state)

A hybrid state $\sigma$ is data-sufficient w.r.t. a hybrid program $\mathcal{P}$ if any state $\sigma'$ accessible
from $\sigma$ can be simplified (i.e. rewritten by $\mathcal{P}_s$) into a purely persistent state (i.e. for
any state $\sigma' \in \Sigma$, if $\sigma \rightarrowtail_h^* \sigma'$, then there exists a state $\sigma'' \in \Sigma_p$ such that $\sigma'$ is rewritten to $\sigma''$ by $\mathcal{P}_s$ alone, noted $\sigma' \rightarrowtail_{h,s}^* \sigma''$).

This property ensures there is at least one computation where propagation rules
are applied only once all linear constraints have been completely simplified. It is a
natural extension of the eponymous property for CSR (Abdennadher et al. 1999).

Theorem 4.4 (Soundness and completeness of the hybrid transition system semantics)

Let $\mathcal{P}$ be a hybrid program such that $\mathcal{P}_s$ is confluent. Let $\langle L, P; E; X\rangle$ be a data-sufficient
state w.r.t. $\mathcal{P}$. We have:

$\langle L, P; E; X\rangle \in \mathcal{F}^{h}_{\mathcal{C}}(\mathcal{P})$ if and only if $(L \wedge P \wedge E)$ is satisfiable within $\mathcal{CP}$

The following proposition states that it is sufficient to consider only one fair
derivation. This result is fundamental to allow the hybrid semantics to be efficiently
implemented.
Definition 4.5 (Propagation fair derivation)

A derivation $\sigma_0 \rightarrowtail_h \sigma_1 \rightarrowtail_h \ldots$ is propagation fair if for any propagation redex
$r@\langle K; E; X\rangle$ of a state $\sigma_i$ in the derivation, there exist two states $\sigma_j, \sigma_{j+1}$ such
that the transition from $\sigma_j$ to $\sigma_{j+1}$ is a propagation application where the reduced
redex is identical or stronger than $r@\langle K; E; X\rangle$ (i.e. the reduced redex is of the form
$r@\langle K; F; Y\rangle$ with $\mathcal{C} \models \exists_{-Y}F \rightarrow \exists_{-X}E$).

Proposition 4.6 (Soundness and completeness of propagation fair derivations)

Let $\mathcal{P}$ be a hybrid program such that $\mathcal{P}_s$ is confluent and terminating. Let $\sigma$ be a
data-sufficient state. $\sigma \in \mathcal{F}^{h}_{\mathcal{C}}(\mathcal{P})$ holds if and only if there is a consistent propagation
fair derivation starting from $\sigma$.

4.3 Implementation of the hybrid semantics

We continue by addressing the question of implementing the hybrid semantics in
a sound and complete way. For this purpose, we assume without loss of generality
that the constraint symbols $f/1$, $f/2$, $a/2$, $c_f/1$ and $c_a/1$ are fresh w.r.t. the
program $\mathcal{P}$ we consider. The implementation of a hybrid program $\mathcal{P}$ consists in a
source-to-source translation $\mathcal{P}^\circ$ intended to be executed in the concrete semantics
$\omega_p$. This transformation is given in detail in Figure 1. In order to be executed,
a hybrid state $\sigma$ has to be translated into a concrete state $\sigma^\circ$ as follows: if $L$
and $(d_1, \ldots, d_n)$ are multisets of linear and persistent constraints respectively, then

$$\langle L, d_1, \ldots, d_n; E; X\rangle^\circ = \langle\langle L, f(d_1), \ldots, f(d_n), c_f(0), c_a(0); \emptyset; E; \emptyset\rangle\rangle_0$$

Before going further, let us give some intuition about the behaviour of the translation.
If a rule needs two occurrences of the same persistent constraint, step 1 will
insert an equivalent rule which needs only one occurrence of the constraint. In the
translation each persistent constraint can appear in three different successive
states: fresh, indicated by $f/1$, frozen, indicated by $f/2$, and alive, indicated by $a/2$.
Step 2 ensures, on the one hand, that only alive constraints can be used to launch
a rule, and on the other hand, that the persistent constraints of the right-hand side
are inserted as fresh. Each frozen and alive constraint is associated with a time stamp
indicating the order in which it has been asserted. The fresh constraints are time
stamped and marked as frozen as soon as possible by stamp, the rule of highest
priority (the constraint $c_f/1$ indicating the next available time stamp). Only if no
other rule can be applied, the unfreeze rule turns the oldest frozen constraint into
an alive constraint while preserving its time stamp (the constraint $c_a/1$ indicating
the next constraint to be unfrozen). The rule set prevents trivial loops by removing
the youngest occurrence of two identical persistent constraints. From a proof point
of view, the application of this last rule corresponds to the detection of a cycle in a
coinductive proof, the persistent constraints representing coinduction hypotheses
(Barwise and Moss 1996).

The two following theorems state that our implementation is sound and complete
w.r.t. failure. Theorem 4.7 shows furthermore that the implementation we propose
here is sound w.r.t. finite success. It is worth noting that it is hopeless to look for
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Let V° the program V where simplification and propagation rules are given with 
the priorities 3 and 4 respectively. Apply the following steps: 

step 1 . Apply the following rules until convergence : 

If (p :: c,d,K\M <^> G j B,L,P)) is in V°, with C N 3(c=d) 
then add the rule (p :: c,K\H ^> c — d A G | B, L, P) to V" 

step 2 Substitute any rule (p :: ci , . . . , c m \H <=4> G | B, L, di, . . . d n ) by 
(p :: o(Xi,ci),...,o(X m ,c m )\H <s=> G | B ( , L, /(di), . . . , f(d n )) 
where xi, . . . £ m are pairwise distinct variables 

step 3 Add to V° the rules: 

1 :: stamp @ /(A), c/(Y) <=> /(F, A), c/(F + 1) 

2 :: sei @ a(Y, X) \ a(Z, X) Y < Z \ T 

5 :: unfreeze @ /(V, A), c a (F) <=> a(V, A), c a (Y + 1) 

Fig. 1. Source-to-source translation for hybrid programs 

a complete implementation w.r.t. to success, since the problem to know if a data- 
sufficient state is in the coinductive semantics is undecidable. The intuition behind 
this claim is that otherwise it would possible to solve the halting problem. 

Theorem 4.7 (Soundness w.r.t. success and failure)

Let $\mathcal{P}$ be a hybrid program such that $\mathcal{P}_s$ is confluent, and let $\langle C; B; X\rangle^\circ \rightarrow^*_{\mathcal{P}^\circ} \langle \emptyset; B; F; T\rangle_n \not\rightarrow_{\mathcal{P}^\circ}$ be a terminating derivation. $\langle C; B; X\rangle \in \mathcal{FL}(\mathcal{P})$ holds if and only if $F$ is satisfiable within $C$.

Theorem 4.8 (Completeness w.r.t. failure)

Let $\mathcal{P}$ be a hybrid program such that $\mathcal{P}_s$ is confluent and terminating. Let $\langle C; B; X\rangle$ be a data-sufficient state. If $\langle C; B; X\rangle \notin \mathcal{FL}(\mathcal{P})$, then any concrete derivation starting from $\langle C; B; X\rangle^\circ$ finitely fails.

The implementation we propose has strong connections with co-SLD, an implementation of the g.f.p. semantics of Logic Programming proposed by Simon et al. (2006). Both are based on a dynamic synthesis of coinductive hypotheses and cycle detection in proofs. But because it is limited to rational recursion, co-SLD is logically incomplete w.r.t. both successes and failures (i.e. there are queries true and false w.r.t. the logical reading of a program that cause the interpreter to loop). That contrasts with CHR, where any coherent constraint system can be used without losing logical completeness w.r.t. failures.

5 Applications 

In this section, we illustrate the power of CHR for coinductive reasoning when it 
is provided with its fixpoint semantics. In particular we show it yields an elegant 
framework to realize coinductive equality proofs for languages and regular expres- 
sions as presented by Rutten (1998). 

5.1 Coinductive language equality proof 

Firstly, let us introduce the classical notion of binary automaton in a slightly different way from usual. A binary automaton is a pair $(\Sigma, f)$ where $\Sigma$ is a possibly infinite set of states and $f : \Sigma \to \{0, 1\} \times \Sigma \times \Sigma$ is a function called destructor. Let us assume some automaton $(\Sigma, f)$. For any state $L \in \Sigma$ such that $f(L) = (T, L_a, L_b)$, we write $L \xrightarrow{a} L_a$, $L \xrightarrow{b} L_b$, and $t(L) = T$. The language accepted by a state $L$ is

$\mathcal{L}(L) = \{a_1 \ldots a_n \mid L \xrightarrow{a_1} L_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} L_n,\ t(L_n) = 1\}$.

A bisimulation between states is a relation $\mathcal{R} \subseteq \Sigma \times \Sigma$ verifying:

If $K \mathcal{R} L$ then $t(K) = t(L)$, and $K \xrightarrow{a} K_a$, $L \xrightarrow{a} L_a$ with $K_a \mathcal{R} L_a$, and $K \xrightarrow{b} K_b$, $L \xrightarrow{b} L_b$ with $K_b \mathcal{R} L_b$.

$D = (f(L_1, (0, L_2, L_3)),\ f(L_2, (1, L_2, L_3)),\ f(L_3, (1, L_3, L_2)),\ f(K_1, (0, K_2, K_2)),\ f(K_2, (1, K_2, K_2)))$

Fig. 2. A binary automaton and its CPR representation.

Contrary to the standard definition, in the present setting an automaton does not have an initial state and may have an infinite number of states. As represented here, an automaton is a particular coalgebra (Barwise and Moss 1996). Due to space limitations, we will not go into the details of coalgebra², but only state the following Coinductive Proof Principle (Rutten 1998; Barwise and Moss 1996), which arises from the representation of automata as coalgebras:

In order to prove the equality of the languages recognized by two states $K$ and $L$, it is sufficient to establish the existence of a bisimulation relation on $\Sigma$ that includes the pair $(K, L)$.

A nice application of CPR consists in the possibility to directly represent coalgebras and prove bisimulation between states. For instance, one can easily represent a finite automaton using variables for states and binary user-defined constraints (of main symbol f/2) for the destructor function. Figure 2 gives an example of an automaton and its representation as a multiset $D$ of CHR constraints. Once the automaton representation is fixed, one can translate the definition of bisimulation into a single propagation rule:

f(L, (L_t, L_a, L_b)), f(K, (K_t, K_a, K_b)), L ~ K ⇒ L_t = K_t, L_a ~ K_a, L_b ~ K_b

Using the coinductive proof principle and Theorem 3.6, it is simple to prove whether two states of the coalgebra represented by $D$ accept the same language. For example, to conclude that $L_1$ and $K_1$ recognize the same language while $L_1$ and $K_2$ do not, one can prove that the execution of $\langle (D, L_1 \sim K_1); \top; \emptyset\rangle$ never reaches an inconsistent state, while there are inconsistent derivations starting from $\langle (D, L_1 \sim K_2); \top; \emptyset\rangle$.

2 We invite unfamiliar readers to refer to the gentle introduction of Rutten (1998). 
5.2 Coinductive solver for regular expressions

We have just shown that CPR yields a nice framework for coinductive reasoning about coalgebras. Nonetheless the explicit representation of an automaton by user-defined constraints (as in Figure 2) would limit us to finite state automata. One simple idea to circumvent this limitation is to represent infinite state automata implicitly. For instance, one can represent states using regular expressions and implement the computation of the destructor function using derivatives (Rutten 1998).

Let us assume the following syntax for regular expressions:

E ::= L | a | b | (E, E) | E*        L ::= [] | [E | L]

where a and b are characters, (*) and (,) stand for the Kleene star and the concatenation operators respectively, and a list corresponds to the alternation of its elements. Here follows a possible implementation of the destructor function³:

f([], R) ⇔ R = (0, [], []).
f(a, R) ⇔ R = (0, [[]*], []).
f(b, R) ⇔ R = (0, [], [[]*]).

f([E|L], R) ⇔ R = (T, A, B), f(E, (E_t, E_a, E_b)), f(L, (L_t, L_a, L_b)),
    or(E_t, L_t, T), merge(E_a, L_a, A), merge(E_b, L_b, B).

f(E*, R) ⇔ R = (1, [(E_a, [E*])], [(E_b, [E*])]), f(E, (_, E_a, E_b)).

f((E, F), R) ⇔ f(E, (E_t, E_a, E_b)), f_conc(E_t, E_a, E_b, F, R).

f_conc(0, E_a, E_b, F, R) ⇔ R = (0, [(E_a, F)], [(E_b, F)]).

f_conc(1, E_a, E_b, F, R) ⇔ R = (T, A, B), f(F, (T, F_a, F_b)),
    merge([(E_a, F)], F_a, A), merge([(E_b, F)], F_b, B).

where or/3 unifies its third argument with the Boolean disjunction of its first two arguments and merge/3 unifies its last argument with the ordered union of the lists given as its first two arguments. Now one can adapt the encoding of bisimulation given in the previous subsection as follows:

L ~ K ⇔ nonvar(L), nonvar(K) | f(L, (T, L_a, L_b)), f(K, (T, K_a, K_b)), L_a ~ K_a, L_b ~ K_b.

We are now able to prove the equality of regular expressions using the implementation of the CHR hybrid semantics provided in Section 4.3. For example, the following state leads to an irreducible consistent state. Thanks to the Coinductive Proof Principle together with Theorem 4.4 and Theorem 4.7, this implies that the two regular expressions recognize the same language:

$\langle ((b^*, a)^*, (a, b^*))^* \sim [[]^*, (a, [a, b]^*), ([a, b]^*, (a, (a, [a, b]^*)))]; \top; \emptyset\rangle^\circ$

It should be underlined that the use of simplification rules instead of propagation rules for encoding the destructor function is essential here in order to avoid rapid saturation of the memory by useless constraints. Notice that, on the one hand, the confluence of the set of simplification rules needed by the theorems of Section 4 can be easily inferred, since the program is deterministic. On the other hand, termination of the set of simplification rules, which is required by Theorem 4.8, can be easily established by using, for instance, techniques we have recently proposed for single-headed programs (Haemmerle et al. 2011).

3 A complete version of the program can be found in the technical report version of the paper.

Of course, no one should be surprised that equivalence of regular expressions is decidable. The interesting point here is that the notions of coalgebra and bisimulation can be cast naturally in CHR. Moreover, it is worth noticing that the program given has the properties required of a constraint solver. Firstly, the program is effective, i.e. it can actually prove or disprove that two expressions are equal. The first part of the claim can be proved using Kleene's theorem (Rutten 1998) and the idempotency and commutativity of the alternation, enforced here by the merge/3 predicate. The second part is direct by the completeness w.r.t. failures. Secondly, the program is incremental: it can deal with partially instantiated expressions by freezing the computations for which there is not yet enough information. Last, but not least, one can easily add new expressions to the system (as for instance ε, E?, or E+). For this purpose it is just necessary to provide a new simplification rule computing the result of the corresponding destructor function. For example, we can add to the program the following rule and prove as previously that a+ and (a, a*) recognize the same language while a+ and a* do not:

f(K+, R) ⇔ R = (T, [K_a, (K_a, K+)], [K_b, (K_b, K+)]), f(K, (T, K_a, K_b)).
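The coinductive equality checks of Sections 5.1 and 5.2 (the automaton of Figure 2, the regular-expression destructor computed by derivatives, and the E+ extension), carried out in Python as an added example that is not part of the paper or of its CHR program. It assumes a tuple encoding of expressions and the alphabet {a, b}; alternations are kept as sorted, duplicate-free tuples, which plays the role of merge/3, and the constructors also apply the unit and absorption laws for [] and []* that the CHR program leaves implicit. The set of hypotheses is the store of persistent ~ constraints, and meeting a pair that is already in it is the cycle that rule set detects; a pair with different nullability is the inconsistent state L_t = K_t.

```python
from collections import deque

# Terms (assumed encoding): ('alt', (E1, ...)) alternation, ('chr', 'a' | 'b'),
# ('cat', E, F) concatenation, ('star', E) Kleene star, ('plus', E) for E+.
EMPTY = ('alt', ())        # []  : the empty language
EPS = ('star', EMPTY)      # []* : the empty word, as in the paper

def alt(*terms):
    """Ordered union of alternatives with duplicates removed (merge/3)."""
    flat = set()
    for t in terms:
        flat.update(t[1] if t[0] == 'alt' else (t,))
    if len(flat) == 1:
        return next(iter(flat))
    return ('alt', tuple(sorted(flat)))

def cat(e, f):
    """Concatenation; [] annihilates and []* is the unit (assumed simplifications)."""
    if e == EMPTY or f == EMPTY:
        return EMPTY
    if e == EPS:
        return f
    return e if f == EPS else ('cat', e, f)

def star(e):
    if e in (EMPTY, EPS):
        return EPS
    return e if e[0] == 'star' else ('star', e)

def plus(e):
    return e if e in (EMPTY, EPS) else ('plus', e)

def destruct(e):
    """f(E) = (T, E_a, E_b): nullability and the derivatives w.r.t. a and b,
    following the simplification rules of Section 5.2 (and the E+ rule)."""
    tag = e[0]
    if tag == 'chr':
        return (0, EPS, EMPTY) if e[1] == 'a' else (0, EMPTY, EPS)
    if tag == 'alt':
        t, da, db = 0, EMPTY, EMPTY
        for x in e[1]:
            xt, xa, xb = destruct(x)
            t, da, db = t or xt, alt(da, xa), alt(db, xb)   # or/3, merge/3
        return t, da, db
    if tag == 'star':
        _, ea, eb = destruct(e[1])
        return 1, cat(ea, e), cat(eb, e)
    if tag == 'plus':                      # d(K+) = [K_a, (K_a, K+)]
        t, ea, eb = destruct(e[1])
        return t, alt(ea, cat(ea, e)), alt(eb, cat(eb, e))
    et, ea, eb = destruct(e[1])            # ('cat', E, F): the f_conc/5 split
    f = e[2]
    if et == 0:
        return 0, cat(ea, f), cat(eb, f)
    ft, fa, fb = destruct(f)
    return ft, alt(cat(ea, f), fa), alt(cat(eb, f), fb)

def bisimilar(destructor, k, l):
    """Coinductive proof search. Returns (True, R) with R a bisimulation that
    contains (k, l), or (False, pair) where pair has different nullability,
    i.e. the point at which the CHR derivation becomes inconsistent."""
    hypotheses = set()                     # persistent K ~ L constraints
    todo = deque([(k, l)])
    while todo:
        x, y = todo.popleft()
        if (x, y) in hypotheses:           # cycle: rule `set` drops the duplicate
            continue
        xt, xa, xb = destructor(x)
        yt, ya, yb = destructor(y)
        if xt != yt:
            return False, (x, y)
        hypotheses.add((x, y))
        todo.extend([(xa, ya), (xb, yb)])
    return True, frozenset(hypotheses)

# Figure 2 as a table state -> (t, a-successor, b-successor).
FIG2 = {'L1': (0, 'L2', 'L3'), 'L2': (1, 'L2', 'L3'), 'L3': (1, 'L3', 'L2'),
        'K1': (0, 'K2', 'K2'), 'K2': (1, 'K2', 'K2')}

def fig2_destruct(state):
    return FIG2[state]

A, B = ('chr', 'a'), ('chr', 'b')
SIGMA_STAR = star(alt(A, B))                                   # [a, b]*
LHS = star(cat(star(cat(star(B), A)), cat(A, star(B))))        # ((b*, a)*, (a, b*))*
RHS = alt(EPS, cat(A, SIGMA_STAR),                             # [[]*, (a, [a, b]*),
          cat(SIGMA_STAR, cat(A, cat(A, SIGMA_STAR))))         #  ([a, b]*, (a, (a, [a, b]*)))]

def regex_equal(e, f):
    """Language equality of two expressions, decided by bisimulation."""
    return bisimilar(destruct, e, f)[0]

if __name__ == '__main__':
    print(bisimilar(fig2_destruct, 'L1', 'K1')[0])   # True, with a 3-pair bisimulation
    print(bisimilar(fig2_destruct, 'L1', 'K2'))      # (False, ('L1', 'K2'))
    print(regex_equal(LHS, RHS))                     # True
    print(regex_equal(plus(A), cat(A, star(A))))     # True
    print(regex_equal(plus(A), star(A)))             # False
```

Termination of `regex_equal` rests on the same fact the text invokes: modulo idempotency and commutativity of alternation (plus the unit laws applied here), an expression has only finitely many derivatives, so the worklist of pairs is finite and every pair is either refuted or eventually becomes a hypothesis. The returned bisimulation for the Figure 2 automaton is exactly {(L1,K1), (L2,K2), (L3,K2)}.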

6 Conclusion

We have defined a l.f.p. semantics for CHR simplification rules and a g.f.p. semantics for CHR propagation rules, and proved both to be accurate w.r.t. the logical reading of the rules. By using a hybrid operational semantics with persistent constraints similar to the one of Betz et al., we were able to characterize CHR programs combining both simplification and propagation rules by a fixpoint semantics without losing completeness w.r.t. the logical semantics. In doing so, we have noticeably improved the known results about the logical semantics of CHR. Subsequently we proposed an implementation of this hybrid semantics and showed it yields an elegant framework for programming with coinductive reasoning.

The observation that non-termination of all derivations starting from a given state ensures that this state is in the coinductive semantics of a hybrid program suggests that the static analysis of universal non-termination of CHR programs might be worth investigating. The comparison of CHR to other coinductive programming frameworks, such as the circular coinductive rewriting of Goguen et al. (2000), suggests that it should be possible to improve the completeness with respect to success of the implementation proposed here.